Host Identity Protocol for Linux

Have you ever wondered why your multimedia streams stop working after you switch to a different network with your laptop? Have you thought about why setting up a server on your home network behind a NAT is so awkward or even impossible? Host Identity Protocol for Linux (HIPL) offers a remedy to these and other problems.

2. Security—Authentication and Encryption

HIP authenticates and secures communication between two hosts. HIP authenticates hosts and establishes a symmetric key between them to secure the data communication. The data flow between the end hosts is encrypted by IPsec Encapsulating Security Payload (ESP) with the symmetric key set up by HIP. HIP introduces mechanisms, such as cryptographic puzzles, that protect HIP responders (servers) against DoS attacks. Applications simply need to use HITs instead of IP addresses. Application source code does not need to be modified.

3. Mobility

HIP provides transparent mobility support for existing network applications. TCP connections are bound to HITs instead of IP addresses. HITs do not change for a given host. HITs are further mapped to IP addresses. When an IP address changes, new mappings between the HIT and the new IP address are formed. When a host moves to a new network and obtains a new IP address, the host informs its peers about its new IP address, and TCP connections are sustained.

4. NAT Traversal

WLAN access points and broadband modems employ NATs due to the lack of IPv4 addresses. However, you have to configure your NAT settings manually if you want to use P2P software or connect to your computer behind a NAT. It may even be impossible if your ISP employs a second NAT.

With HIP, hosts can address each other with HITs across private address realms of NATs. HIP makes use of two alternative NAT traversal technologies, ICE and Teredo, to traverse the NATs. Setting up a server behind a NAT using HIP does not require manual configuration of the NAT. The HIPL on-line manual infrahip.hiit.fi/hipl/manual/ch21.html describes the details.

Name Lookup Support

The InfraHIP site offers free services for the HIP community. For example, you can register your HIT to the DNS or Distributed Hash Table (DHT). The site also offers free HIP forwarding services to assist in NAT traversal and locating mobile nodes.

How HIP Works

The Host Identity Protocol architecture (Figure 1) defines a new namespace, the Host Identity namespace, which decouples the name and locator roles of IP addresses. With HIP, the transport layer operates on host identities instead of IP addresses as endpoint names. The host identity layer is between the transport layer and the network layer. The responsibility of the new layer is to translate identities to routable locators before a host transmits the packet. The reverse applies to incoming packets.

Figure 1. The Host Identity layer is located between the transport and network layers.

Protocol Overview

The actual Host Identity Protocol (HIP) is composed of a two-round-trip, end-to-end Diffie-Hellman key-exchange protocol, called the base exchange, mobility updates and some additional messages. The networking stack triggers the base exchange automatically when an application tries to connect to a HIT.

Figure 2. HIP Base Exchange

During a base exchange, a client (initiator) and a server (responder) authenticate each other with their public keys and create symmetric encryption keys for IPsec to encrypt the application's traffic. In addition, the initiator must solve a computational puzzle. The responder selects the difficulty of the puzzle according to its load. When the responder is busy or under DoS attack, the responder can increase the puzzle difficulty level to delay new connections.
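The puzzle step of the base exchange, as an added example that is not HIPL's own code: the responder picks a random I and a difficulty K, the initiator must find a J that makes the K low-order bits of SHA-1(I | HIT-I | HIT-R | J) zero (the RFC 5201 construction), and the responder verifies with a single hash. The load-to-K policy, the sequential search for J and the sample HITs are assumptions made for the example.

```python
"""HIP base-exchange puzzle, modelled on RFC 5201 Section 4.1.2: the responder
sends a random 64-bit I and difficulty K in R1; the initiator must find a
64-bit J such that the K low-order bits of SHA-1(I | HIT-I | HIT-R | J) are
zero and returns it in I2. Solving costs about 2**K hashes, verifying one."""
import hashlib
import secrets

K_MIN, K_MAX = 0, 20  # difficulty bounds used by the policy below (assumption)


def puzzle_hash(i_nonce: bytes, hit_i: bytes, hit_r: bytes, j: bytes) -> bytes:
    # Concatenation order follows the specification: I | HIT-I | HIT-R | J
    return hashlib.sha1(i_nonce + hit_i + hit_r + j).digest()


def low_bits_zero(digest: bytes, k: int) -> bool:
    # Ltrunc(digest, K) == 0: the K least-significant bits are all zero
    return (int.from_bytes(digest, "big") & ((1 << k) - 1)) == 0


def solve_puzzle(i_nonce, hit_i, hit_r, k, max_tries=1 << 32):
    """Initiator side: try J = 0, 1, 2, ...; returns (J, number of hashes)."""
    for n in range(max_tries):
        j = n.to_bytes(8, "big")
        if low_bits_zero(puzzle_hash(i_nonce, hit_i, hit_r, j), k):
            return j, n + 1
    raise RuntimeError("no puzzle solution within budget")


def verify_puzzle(i_nonce, hit_i, hit_r, j, k) -> bool:
    """Responder side: one hash regardless of K; a malformed J is rejected."""
    if len(j) != 8:
        return False
    return low_bits_zero(puzzle_hash(i_nonce, hit_i, hit_r, j), k)


def choose_difficulty(load: float) -> int:
    """Responder policy (assumption): K grows linearly with load in [0, 1]."""
    load = min(max(load, 0.0), 1.0)
    return K_MIN + round(load * (K_MAX - K_MIN))


if __name__ == "__main__":
    # Constructed sample HITs (128-bit); real ones are derived from host keys.
    hit_i = bytes.fromhex("20010010" + "aa" * 12)
    hit_r = bytes.fromhex("20010010" + "bb" * 12)
    i_nonce = secrets.token_bytes(8)  # the responder's fresh random I
    for load in (0.0, 0.5, 0.8):
        k = choose_difficulty(load)
        j, tries = solve_puzzle(i_nonce, hit_i, hit_r, k)
        ok = verify_puzzle(i_nonce, hit_i, hit_r, j, k)
        print(f"load={load:.1f} K={k:2d} solved after {tries} hashes, verify={ok}")
```

Running it shows the asymmetry the text relies on: the initiator's hash count grows with K while the responder's check stays at one hash, and a busy responder only has to raise K.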

HIP provides a mechanism similar to the base exchange to handle IP address changes. When a host detects a new IP address, it informs all its peers of the address change. The hosts adjust their IPsec security associations accordingly, and the applications running on the hosts continue sending data to each other as if nothing happened.

Figure 3. HIP Mobility Updates

When two hosts are connected to each other using HIP and one of them moves, the mobile host tells its current location to the other. If both hosts move at the same time, they can lose contact with each other. In this case, a HIP rendezvous server assists the hosts. The rendezvous server has a fixed IP address and, therefore, it offers a stable contact point for mobile hosts. The rendezvous server relays only the first packet, and after the contact, the hosts can communicate with each other directly. HIP includes another similar service, called HIP Relay, that forwards all HIP packets to support NAT traversal.
